mailman doesn't receive messages from sendmail on fresh F8 install
Daniel J Walsh
dwalsh at redhat.com
Wed Feb 20 13:14:22 UTC 2008
Edward Kuns wrote:
> On Tue, 2008-02-19 at 17:03 -0500, Daniel J Walsh wrote:
>> Check to see if the relabel worked without the module
>>
>> # semodule -r mymailman
>>
>> Now try it again. This should work without AVC messages
>
> Interestingly, this does work and doesn't work, but it fails at a later
> stage than it used to. What does this mean? The message appears to get
> delivered, but I also get an selinux complaint referring to the mail
> spool file:
>
Could mean that sendmail has an open file descriptor to a file in the
mqueue_spool and it leaked it to mailman.
I don't think mailman reads /var/spool/mqueue/dfm1K3MwNg031190 directly.
> Summary
> SELinux is preventing /usr/lib/mailman/mail/mailman (mailman_mail_t) "read"
> to /var/spool/mqueue/dfm1K3MwNg031190 (mqueue_spool_t).
>
> Detailed Description
> SELinux denied access requested by /usr/lib/mailman/mail/mailman. It is not
> expected that this access is required by /usr/lib/mailman/mail/mailman and
> this access may signal an intrusion attempt. It is also possible that the
> specific version or configuration of the application is causing it to
> require additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for
> /var/spool/mqueue/dfm1K3MwNg031190, restorecon -v
> /var/spool/mqueue/dfm1K3MwNg031190 If this does not work, there is currently
> no automatic way to allow this access. Instead, you can generate a local
> policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Additional Information
>
> Source Context system_u:system_r:mailman_mail_t:s0
> Target Context system_u:object_r:mqueue_spool_t:s0
> Target Objects /var/spool/mqueue/dfm1K3MwNg031190 [ file ]
> Affected RPM Packages mailman-2.1.9-8.2.fc8 [application]
> Policy RPM selinux-policy-3.0.8-84.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.catchall_file
> Host Name kilroy.chi.il.us
> Platform Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count 1
> First Seen Tue 19 Feb 2008 09:22:58 PM CST
> Last Seen Tue 19 Feb 2008 09:22:58 PM CST
> Local ID c52fd5cd-781f-4178-ae56-dd979cb54ab6
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { read } for comm=mailman dev=dm-2 egid=41 euid=8
> exe=/usr/lib/mailman/mail/mailman exit=0 fsgid=41 fsuid=8 gid=12 items=0
> path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193
> scontext=system_u:system_r:mailman_mail_t:s0 sgid=41
> subj=system_u:system_r:mailman_mail_t:s0 suid=8 tclass=file
> tcontext=system_u:object_r:mqueue_spool_t:s0 tty=(none) uid=8
>
>
> If I repeat the procedure from earlier, I get a longer mymailman.te file
> that contains the following:
>
>
> module mymailman2 1.0;
>
> require {
> type sendmail_t;
> type mailman_mail_t;
> type mailman_log_t;
> type mailman_data_t;
> type mqueue_spool_t;
> class unix_stream_socket { read write };
> class dir { write remove_name search add_name };
> class file { write rename getattr read create append };
> }
>
> #============= mailman_mail_t ==============
> allow mailman_mail_t mqueue_spool_t:file { read write };
> allow mailman_mail_t sendmail_t:unix_stream_socket { read write };
>
> #============= sendmail_t ==============
> allow sendmail_t mailman_data_t:dir { write remove_name add_name };
> allow sendmail_t mailman_data_t:file { write rename getattr create };
> allow sendmail_t mailman_log_t:dir search;
> allow sendmail_t mailman_log_t:file { read getattr append };
>
> It appears that I don't need all of these rules. Looking at the two
> files, I see a *.pp file that appears to be a binary file and a *.te
> file that is human readable. But I'm not sure how to create a policy
> file that's just the text file.
>
> I also don't know why mailman wants access to the spool file, but with
> the above I get no complaints when I send mail to the list. Without the
> above I still get a complaint, although the mail appears to get
> delivered OK.
>
> Eddie
>
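As an added example (not code from the thread), a small Python helper that parses the raw AVC line quoted above the way audit2allow does, renders the matching .te text, and flags the pattern Dan describes: a denial on sendmail's mqueue spool file coming from a different domain, which points to a leaked file descriptor rather than a missing permission. The AVC line is a constructed copy of the one in the alert; the module name mymailman and the leak heuristic are my assumptions.

```python
import re

# Constructed copy of the raw AVC line quoted in the thread (joined onto one line).
AVC_LINE = ("avc: denied { read } for comm=mailman dev=dm-2 egid=41 euid=8 "
            "exe=/usr/lib/mailman/mail/mailman exit=0 fsgid=41 fsuid=8 gid=12 items=0 "
            "path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193 "
            "scontext=system_u:system_r:mailman_mail_t:s0 sgid=41 "
            "subj=system_u:system_r:mailman_mail_t:s0 suid=8 tclass=file "
            "tcontext=system_u:object_r:mqueue_spool_t:s0 tty=(none) uid=8")

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)")


def parse_avc(line):
    """Extract permissions, comm, path, source/target types and object class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "stype": fields["scontext"].split(":")[2],   # domain, e.g. mailman_mail_t
        "ttype": fields["tcontext"].split(":")[2],   # file type, e.g. mqueue_spool_t
        "tclass": fields["tclass"],
    }


def to_te(name, avcs):
    """Render a minimal .te module in the shape audit2allow emits: a require
    block listing every type, then one allow rule per denial."""
    types, rules = set(), []
    for a in avcs:
        types.update([a["stype"], a["ttype"]])
        perms = a["perms"][0] if len(a["perms"]) == 1 else "{ " + " ".join(a["perms"]) + " }"
        rules.append(f"allow {a['stype']} {a['ttype']}:{a['tclass']} {perms};")
    req = "".join(f"\ttype {t};\n" for t in sorted(types))
    return f"module {name} 1.0;\n\nrequire {{\n{req}}}\n\n" + "\n".join(rules) + "\n"


def looks_like_fd_leak(avc):
    """Heuristic (my assumption, modelled on Dan's diagnosis): a non-sendmail
    domain denied on a file under sendmail's mqueue spool, which it never opens
    itself, is most likely holding a descriptor inherited across exec. The usual
    fix is a dontaudit rule or closing the fd in the caller, not an allow rule."""
    path = avc["path"] or ""
    return (avc["tclass"] == "file" and path.startswith("/var/spool/mqueue/")
            and avc["stype"] != "sendmail_t")
```

To turn a .te into the .pp that semodule loads, run checkmodule -M -m -o mymailman.mod mymailman.te followed by semodule_package -o mymailman.pp -m mymailman.mod; audit2allow -M mymailman does both steps straight from the audit log.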